25 June 2020

CryptoCore gang has stolen over $200M from cryptocurrency exchanges

A mysterious hacker group is targeting online cryptocurrency exchanges by launching spear phishing attacks against employees and executives. The group, tracked as CryptoCore, Dangerous Password or Leery Turtle, is believed to have stolen more than $200 million from online cryptocurrency exchanges since 2018, according to a new report from the cyber-security firm ClearSky.

The group, believed to be operating out of the Eastern Europe region (Ukraine, Russia or Romania in particular), has been active since at least May 2018. In the first half of 2020 CryptoCore slowed down its activity, possibly due to the COVID-19 pandemic limitations, but did not stop altogether.

According to the researchers, while the CryptoCore group is not extremely technically advanced, it is swift and effective. The group mainly targets cryptocurrency exchanges in the United States, Japan, and the Middle East.

“The key goal of CryptoCore’s heists is to gain access to cryptocurrency exchanges’ wallets, be it general corporate wallets or wallets belonging to the exchange’s employees. For this kind of operation, the group begins with an extensive reconnaissance phase against the company, its executives, officers and IT personnel,” the report said.

To achieve their goal, the hackers leverage spear phishing attacks, primarily targeting the executives’ personal email accounts.

“Infiltrating the personal email accounts is an optional phase; however, it’s a matter of hours to weeks until the spear-phishing email is sent to a corporate email account of an exchange’s executive,” according to the report.

Typically, phishing messages are disguised as emails from a high-ranking employee either from the target company or from another organization with ties to the targeted employee.

Once they gain an initial foothold on the system, the hackers attempt to access the victim’s password manager account, where the keys of crypto-wallets and other valuable assets are stored. The attackers then disable multi-factor authentication and start transferring funds out of the exchange’s “hot wallets.”
